The Inside Scoop on the World’s Leading Bug Bounty Program

  • Posted on:June 22, 2017
  • Posted in:Network, Security, Zero Day Initiative
  • Posted by:
    Dustin Childs (Zero Day Initiative Communications)
Within the security researcher community, the Zero Day Initiative (ZDI) program is a well-known entity, representing the world’s largest vendor-agnostic bug bounty program. Customers of the TippingPoint Intrusion Prevention Systems (IPS) and Threat Protection Systems (TPS) know the ZDI as the group that buys 0-days so they have protections before the affected vendor releases a patch. Outside of those communities, there may be misconceptions about what happens behind the scenes when dealing with so many bugs.

At a high level, here’s how the program works. An independent researcher finds an otherwise unknown vulnerability (i.e. a 0-day) in a piece of software and reports it to the ZDI. The researcher can be from just about anywhere – we have worked with more than 3,000 different researchers from 80+ countries. Being vendor-agnostic means the software can be just about anything, too. In 2016, the ZDI purchased 0-days impacting 49 different vendors, including large vendors like Microsoft and Adobe as well as small, industry-specific vendors like those in the SCADA realm. Once the bug is verified by our internal researchers, we buy it – offering a variable price based on many factors (e.g. quality of the write-up, ubiquity of the target, ease of exploitation, etc.).

Once we have confirmed the bug is real, two different things happen. First, the Digital Vaccine team creates filters for Trend Micro customers, which gives them an average of 57 days of protection against these 0-days before anyone else. Perhaps more importantly, the bug is then disclosed to the vendor. The ZDI team works with the vendor to ensure a patch is developed and released to the public. So even if you don’t use any Trend Micro products, your enterprise security is strengthened by the ZDI program. How often does this occur? Well, for the past three years, the ZDI has been the number one supplier of bugs to Microsoft, Adobe, and SCADA vendors, amongst others. That equates to more than 2,100 patches just since 2014, and we’ve been doing this since 2005.

Another group familiar with the ZDI program is the vendors receiving our bug reports. Although it may seem to be an adversarial relationship, we do everything we can to assist vendors throughout the process. And vendor size or name recognition doesn’t matter to us – we strive to treat all vendors equitably. We provide accountability to both customers and researchers by listing when vulnerabilities are reported, which other bug bounty programs do not do. After 120 days, if the vendor hasn’t made a patch available, we release additional information about the bug so that enterprises can gauge the risk to their systems. Unlike some programs, we do extend this deadline if the vendor is making significant progress towards a patch, provided real work is being done. In fact, there are some that consider us the cheapest and friendliest code audit they didn’t know to ask for, and we’re just fine with that.

Researchers from the ZDI also run the annual Pwn2Own competition, which just celebrated its 10th anniversary. It started with a simple laptop that had to be exploited (i.e. “pwned”), and a successful attempt earned the researcher the target laptop (thus the “own”). From those humble beginnings, the contest has evolved into a premier event impacting the security design of the participating targets. The level of difficulty ratchets up as well. For standard reports through the program, a simple description and demonstration suffices. For Pwn2Own, a fully functional exploit chain is required for a win. Of course, the prizes go up for higher-quality exploits, too. This year we awarded $833,000 USD in three days while acquiring 51 new 0-day bugs. These bugs lead to more than simple patches: vendors have begun implementing defense-in-depth measures and additional protections based on the results of the contest – making each new Pwn2Own more difficult than the last. These improvements reach consumers and enterprise users through updates, making their systems more resilient as well.

Though little known outside specific circles, the ZDI program has wide-ranging impacts. The program assists in the coordinated disclosure of vulnerabilities, which gives affected vendors the opportunity to issue patches to the public before the bugs are used maliciously. By publishing notification dates, we provide accountability to help ensure vendors don’t ignore researcher reports. The resulting patches and program improvements positively impact the community at large, even if the community doesn’t realize where the research originated. As seen in recent ransomware attacks, proper patch management can be the difference between a nuisance and a multimillion-dollar recovery.

There is no such thing as secure software – at least not any software that actually does anything. As the industry and software itself evolve, we’ll continue to evolve with them. Our goal continues to be finding and disclosing security bugs in popular software, working with independent researchers from around the globe, and reporting these findings to the vendors so they can fix things in a timely manner. It might not always be easy, but it will continue to be worth doing – whether everyone realizes it or not.